I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

For years, Microsoft has refused to offer financial rewards to researchers who tell the company about security flaws in its software, even as Google and Facebook have ratcheted up their so-called “bug bounty” programs. Now the software giant has suddenly changed its mind–and in some cases it’s offering even bigger bounties than those competitors.

On Tuesday Microsoft announced that it’s now willing to pay up to $100,000 for information about security bugs that can be used to bypass the defenses of Windows, starting with the upcoming preview version of Windows 8.1 to be released later this month. For researchers who also detail new defensive techniques for preventing similar bugs from being exploited in the future, Microsoft will pitch in an extra $50,000 “Defense Bonus” per submission.

“These are super challenging to discover and they require a new technique,” says Mike Reavey, director of Microsoft’s Security Response Center. “So to get people thinking in this area really does require a top-dollar reward.”

Aside from those $100,000 and $50,000 bounties, Microsoft will also pay up to $11,000 for exploits affecting the preview version of Internet Explorer 11, a strategy designed to fix the software’s bugs before it’s widely released to users. “[Most organizations] don’t offer bounties for software in beta, so some researchers would hold onto vulnerabilities until the code is released to manufacturing,” reads a blog post about the bug bounty program from Microsoft’s senior security strategist Katie Moussouris. “Learning about these vulnerabilities earlier is always better for us and for our customers.”

Microsoft’s payouts compare to just $20,000 offered by Google for bugs in its Web applications, though the search firm did briefly offer $150,000 for a bug in its Chrome operating system in a competition in January and $60,000 for bugs in its Chrome browser the year before. Mozilla offers up to $3,000 for bugs in its software. Facebook pays a minimum of $500 but doesn’t specify its maximum reward.

Since Bill Gates’ Trustworthy Computing memo in 2002, Microsoft has built a reputation for working closely with the security research community, hiring hackers and hosting the Blue Hat security conferences in Redmond. At the Black Hat conference last year it awarded the first Blue Hat prize for researchers who develop defensive techniques against exploits, totaling $260,000 in rewards.

So why only start paying bounties for bugs in its software now? Microsoft’s Reavey says that the company has been receiving a growing stream of reports through third-party bug buying programs like the HP-owned Zero Day Initiative and Verisign’s iDefense, which pay up to $10,000 for bugs and report them to the software’s vendor. It also saw the impact of events like the annual Pwn2Own competition, where hackers are sometimes paid six-figure rewards for developing advanced exploits against Microsoft products and then revealing their techniques. “We find out about [these advanced exploits] once a year through these events, or unfortunately, in the wild,” says Reavey. “We want to get them year round as early and often as possible.”

Part of the incentive for Microsoft’s program may also be the growing bounty for exploit techniques among a different community: government and black market buyers who plan to use them for espionage or for crime. According to interviews I conducted in March of last year, a working exploit affecting Windows could earn a hacker between $60,000 and $120,000 from an intelligence or law enforcement agency, and one that achieves full compromise of a Windows computer through Internet Explorer could earn as much as $200,000.

In her blog post, Moussouris alluded to those less-friendly bug-sellers, arguing that Microsoft’s program aims to give them an equally lucrative alternative, and that its “Defense Bonus” may also make their offensive hacking more difficult. “With the strategic bounty programs announced today and the industry collaboration program enhancements to come, Microsoft will simultaneously encourage those who want to work with us while increasing costs for those whose actions cannot be affected by bounties or other incentive programs.”

Nice article, Andy. I represent SecureState, an information security consultant, and anything that promotes innovation in security we are all for. 90 percent of companies have been breached, and I’m sure a target like Microsoft sees attempts on a daily basis. Looking forward to seeing what comes out of this.

Tony, so with Microsoft paying money for security hole reports will help what? Microsoft gets security reports now from security analysts in the industry. Tavis Ormandy’s zero day is an example. It turns out that by stressing the memory while putting the CPU in a tight loop, he was able to get SYSTEM access on all currently supported versions of Windows. Used in conjunction with a browser hole, one can gain SYSTEM access to any Windows system that visited that site. This is a huge hole and has not been fixed by Microsoft yet as reported by Google. Why Microsoft struggles with security issues and why Ormandy’s zero day is important is because it sort of indicates that the core design of Windows is flawed and cannot be repaired, only patched until another way in is found and then patched again and again and again. Microsoft realizes this and created Patch Tuesday.

Does this mean that Tavis Ormandy will get the $100,000? As far as I know his method still works. I like his closing remarks, “Demo code attached. I have a working exploit that grants SYSTEM on all currently supported versions of Windows. Code is available on request to students from reputable schools.”